Identify stolen credentials to improve security intelligence

Data is the heart of an organization, and IT security teams are its protectors. Businesses spend billions of dollars per year setting up fortresses to safeguard data from anyone who dare try to take it. The latest forecast from analyst firm Canalys has IT security spending increasing to $30.1 billion by 2017. Despite this investment, data breaches are on the rise.

The tools that hackers use are evolving at a rapid pace, making it impossible for IT security teams to keep up. However, the tactics remain the same. Companies that focus only on shielding themselves from obvious intrusions, like malware, will find themselves in a losing battle against sophisticated hackers. Successful IT security teams recognize the potential in leveraging existing security information and event management (SIEM) repositories to identify suspicious user activity that occurs after the point of entry, yet before data is stolen.

An acute focus on malware detection as the basis of a security strategy will have enterprises always playing catchup, as hackers immediately try to find new ways around the latest defense technologies that come onto the market. New malware threats are being created at a rate of 82,000 per day, which helps explain why a recent study found that despite improved defensive capabilities, 97 percent of surveyed networks still experienced a breach.

As hard as businesses might try to prevent malware infection through detection or employee education, all it takes is one employee clicking a bad link and a hacker can gain a foothold on an organization’s IT network. Check Point found in its 2014 Security Report that of the organizations it tracked, 84 percent had malware infections. Even more alarming is that in 2013, 58 percent of organizations had malware downloaded by employees every two hours or less, which was more than triple the amount from 2012.

Just as hackers’ tools evolve, so do the ways in which users interact with the IT environment. The general idea of the office has become more nebulous. From BYOD practices to cloud storage to remote working trends, it’s easier than ever for an employee to VPN into a network from anywhere in the world, be it from home, a hotel or an airport. While this helps improve business efficiency, it opens up several new opportunities for hackers to access a business network. Even if the business has an airtight security posture, what about partners and outside vendors that also have access to the network? It wasn’t an employee whose credentials were compromised in last year’s Target data breach, for example, but those of an HVAC vendor.

To reverse this asymmetric advantage favoring hackers, enterprises can focus on what happens after the point of compromise. The purpose of malware is not to disrupt a network, but to steal user credentials to enable hackers to sneak around IT environments undetected. Once activated, malware removes any trace of its existence, typically within an hour. And it’s working, as the majority of network intrusions are a result of stolen user credentials. It’s time to take the steam out of the hacking engine.

Preventing data breaches shouldn’t be a land war, but an intelligence one. While updating anti-virus signatures and investing in malware protection is obviously important, companies need to also maximize security intelligence. What makes this a challenge for IT security teams is that an attacker impersonating a legitimate user will typically fly under the radar without a system in place to quantify security alerts or identify abnormal behavior. And with 10,000 alerts per day for the average U.S. company, and upwards of 150,000 for more active ones, it’s easy to get desensitized. Target learned this the hard way, and it resulted in one of the biggest data breaches in history. The company received an alert to what was going on, but it got lost in the shuffle until it was too late.

With the abundance of information SIEM systems produce, big data security analytics can play an integral role in reducing data breaches. However, companies need a better way to detect valid versus invalid user behavior. IT security teams can make improvements by establishing a baseline of normal user behavior for all network access credentials. In tracking these users, businesses will know how and when they access IT assets. Once this has been determined, IT security teams will have a better method of detecting anomalies and determining how far they deviate from the norm. Of course, not every anomaly is cause for concern, which is why it’s important to quantify these by identifying patterns of suspicious behavior.
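The baseline-and-deviation approach described above, as an added example that is not part of the original article: it builds a per-credential profile (usual hours, source addresses, countries and assets) from historical SIEM-style access events, scores each new event by how many ways it deviates from that profile, and only raises an alert when the weighted deviations cross a threshold. The log format, field names, weights and threshold are all constructed for illustration, and the sample events are invented; a real deployment would read normalized events from its SIEM and tune the weights to its own environment.

```python
"""Baseline normal access behaviour per credential, then score deviations.

Added example (not from the original article). The log format, the
scoring weights and the alert threshold are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed historical events used to learn each user's baseline.
BASELINE_LOG = """\
2014-11-03T09:12:44Z user=alice src=10.0.1.5 country=US asset=fileshare
2014-11-03T10:02:10Z user=alice src=10.0.1.5 country=US asset=crm
2014-11-04T08:55:01Z user=alice src=10.0.1.5 country=US asset=fileshare
2014-11-04T14:30:22Z user=alice src=10.0.1.7 country=US asset=crm
2014-11-05T09:40:00Z user=alice src=10.0.1.5 country=US asset=fileshare
2014-11-03T22:15:09Z user=hvac-vendor src=203.0.113.9 country=US asset=bms
2014-11-04T23:02:41Z user=hvac-vendor src=203.0.113.9 country=US asset=bms
"""

# Constructed new events to evaluate against the learned baseline.
NEW_LOG = """\
2014-11-06T09:05:13Z user=alice src=10.0.1.5 country=US asset=fileshare
2014-11-06T19:45:00Z user=alice src=10.0.1.5 country=US asset=crm
2014-11-07T03:12:55Z user=hvac-vendor src=198.51.100.23 country=RU asset=pos-db
"""

# Weights are assumptions: a single off-hours login is common and cheap to
# flag; a new country or a never-before-touched asset is rarer and weightier.
WEIGHTS = {"hour": 1, "src": 2, "country": 3, "asset": 3}
ALERT_THRESHOLD = 5

def parse(line):
    """Turn one 'timestamp key=value ...' line into a dict with an int hour."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["hour"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
    return event

def build_baseline(log_text):
    """Per-user sets of hours, sources, countries and assets seen historically."""
    profiles = defaultdict(lambda: {key: set() for key in WEIGHTS})
    for line in log_text.splitlines():
        event = parse(line)
        for key in WEIGHTS:
            profiles[event["user"]][key].add(event[key])
    return profiles

def score_event(event, profiles):
    """Return (score, reasons): weighted count of ways the event leaves the baseline."""
    profile = profiles.get(event["user"])
    if profile is None:
        # A credential with no history at all cannot be judged normal.
        return sum(WEIGHTS.values()), ["no baseline for user"]
    score, reasons = 0, []
    for key, weight in WEIGHTS.items():
        if event[key] not in profile[key]:
            score += weight
            reasons.append(f"unusual {key}={event[key]}")
    return score, reasons

def evaluate(log_text, profiles, threshold=ALERT_THRESHOLD):
    """Score every event in log_text; alert only when the pattern of deviations is strong."""
    results = []
    for line in log_text.splitlines():
        event = parse(line)
        score, reasons = score_event(event, profiles)
        results.append({"user": event["user"], "score": score,
                        "reasons": reasons, "alert": score >= threshold})
    return results

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    for r in evaluate(NEW_LOG, baseline):
        flag = "ALERT" if r["alert"] else "info "
        detail = "; ".join(r["reasons"]) or "matches baseline"
        print(f'{flag} {r["user"]:12} score={r["score"]} {detail}')
```

Run as a script, the second alice event (a 19:45 login from her usual host to her usual CRM) scores 1 and is recorded but not alerted on, while the vendor credential logging in at 03:12 from a new address in a new country to an asset it has never touched scores 9 and crosses the threshold. That is the distinction the paragraph draws: a single anomaly is information, a pattern of them is an alert worth a human's time.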

It’s not a matter of if a company suffers a data breach, but when. While malware tools change, the tactical use of them to steal user credentials hasn’t. Therefore, IT teams need to improve security intelligence to more quickly respond to attempted theft. Focusing on what happens after the point of compromise is where IT security teams can make significant progress in preventing breaches.